URL: http://wiki.overbyte.eu/arch/openssl-1.0.2q-win32.zip

Full analysis: https://app.any.run/tasks/999449fc-8660-4127-abf4-9e614f5baca0
Verdict: Malicious activity
Analysis date: May 15, 2019, 18:58:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 4E938360405D35E8FA148A6E9454FAEC
SHA1: 3F4DE6F44C1FE5797E114273BADF650FA3A2DA81
SHA256: 0E9ED004C44C3D62061BF5B79ED000D5428A4FBA5C6EB9F288E3BB92BB2975DA
SSDEEP: 3:N1KJMjxc8A+aqRJP4K7n:CC+hAp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 336)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2432)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 3676)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3676)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3676)
    • Changes internet zones settings
      • iexplore.exe (PID: 3676)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3676)
      • iexplore.exe (PID: 3204)
    • Creates files in the user directory
      • iexplore.exe (PID: 3676)
      • iexplore.exe (PID: 3204)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3676)
No Malware configuration.
No data.
Total processes: 35
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start iexplore.exe iexplore.exe winrar.exe searchprotocolhost.exe no specs

Process information

PID: 3676
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://wiki.overbyte.eu/arch/openssl-1.0.2q-win32.zip
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3204
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3676 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2432
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BSA3U8MC\openssl-1.0.2q-win32[1].zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 336
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Total events: 1 075
Read events: 983
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 15
Suspicious files: 2
Text files: 12
Unknown types: 7

Dropped files

PID 3676, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
  Type, MD5 and SHA256 not recorded
PID 3676, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type, MD5 and SHA256 not recorded
PID 3676, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF59508AAF628E7463.TMP
  Type, MD5 and SHA256 not recorded
PID 3676, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF5BF3AEA4815C07B7.TMP
  Type, MD5 and SHA256 not recorded
PID 3676, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8D8D0CBD-7743-11E9-A09E-5254004A04AF}.dat
  Type, MD5 and SHA256 not recorded
PID 3204, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  Type: dat
  MD5: 051DFEED7C0F406D4AC0BD9B2517D157
  SHA256: EA33B3FC47FF93A2F448BC0044B8BA36B18E6B9F1AD9823752AE92E71E65E525
PID 3204, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BSA3U8MC\openssl-1.0.2q-win32[1].zip
  Type: compressed
  MD5: 38A96B02AAB1183A174D0ADF13F501E4
  SHA256: 96FD63EB0682FC9F14F3C659181A39CD27D912E95AE0A82132FC087976CD9566
PID 3204, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat
  MD5: 904504CF869007925731A4F4AC87FCEC
  SHA256: 8FA02544FD4C255564100ADCF55DCA438DE509C28B81F71B442B5455E3B747DD
PID 3676, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8D8D0CBE-7743-11E9-A09E-5254004A04AF}.dat
  Type: binary
  MD5: E62CBF3F249D85D941782727ECA396A1
  SHA256: 62F5FE9E736EACD20AF91349A58D4E5717E8DF5EA07FF068EC91586321322742
PID 3204, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019051520190516\index.dat
  Type: dat
  MD5: 33849A0907BDDE0018ACA48B57D0C888
  SHA256: 87F49E2E834130668512B3B8FA228120003E34E4508BE8369B3C8EA6B01ECDE7
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID: 3204
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 91.183.89.111:80
URL: http://wiki.overbyte.eu/arch/openssl-1.0.2q-win32.zip
CN: BE
Type: compressed
Size: 1.70 Mb
Reputation: unknown

PID: 3676
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 204.79.197.200:80
URL: http://www.bing.com/favicon.ico
CN: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID: 3676
Process: iexplore.exe
IP: 204.79.197.200:80
Domain: www.bing.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

PID: 3204
Process: iexplore.exe
IP: 91.183.89.111:80
Domain: wiki.overbyte.eu
ASN: Proximus NV
CN: BE
Reputation: unknown

DNS requests

Domain: wiki.overbyte.eu
  • 91.183.89.111
Reputation: unknown

Domain: www.bing.com
  • 204.79.197.200
  • 13.107.21.200
Reputation: whitelisted

Threats

No threats detected
No debug info